Osquery is a free open source, powerful and cross-platform SQL-based operating system instrumentation, monitoring, and analytics framework for Linux, FreeBSD, Windows, and Mac/OS X systems, built by Facebook. It is a simple and easy-to-use operating system explorer.
It combines a number of tools which perform low-level OS analytics and monitoring; these tools reveal an operating system as a high-performance relational database such as MySQL/MariaDB, PostgreSQL and more, where OS concepts are represented in tabular form, thus allowing users to employ SQL commands to carry out system monitoring and analytics.
Osquery use a simple plugin and extensions API to implement SQL tables, there is a collection of tables in existence ready for use, and more are being written. Some tables can only be found on a specific operating system, for instance, you only find the kernel_modules table on Linux systems.
Additionally, you can run queries to monitor and analyze OS state on a single host via the osqueryi shell, or on several hosts on a network via a scheduler or execute them from any of your custom applications using osquery Thrift APIs.
How to Install Osquery in Linux
$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY $ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main' $ sudo apt update $ sudo apt install osquery
$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery $ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo $ sudo yum-config-manager --enable osquery-s3-rpm-repo $ sudo yum install osquery
On Fedora 22+
$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery $ dnf config-manager --add-repo --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo $ sudo dnf config-manager --set-enabled osquery-s3-rpm $ sudo dnf install osquery
How to Monitor and Analyze Linux Using Osquery
Once you have successfully installed Osquery on your system, launch the osqueryi shell to start querying the state of your OS as shown.
$ osqueryi Using a virtual database. Need help, type '.help' osquery>
To get a summarized Linux system information run the following command.
osquery> SELECT * FROM system_info;
To get a well formated list of all users on the Linux system, run the following query.
osquery> SELECT * FROM users;
To get a list of all Linux kernel modules and their status, run the following query.
osquery> SELECT * FROM kernel_modules;
To get a list of all installed RPM packages on CentOS, RHEL and Fedora, run the following query.
osquery> .all rpm_packages;
To get a informatin about running Linux processes, run the following query.
osquery> SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
If you are running osquery on a desktop and have Firefox or Chrome installed, you can list all your add-ons using the following query.
osquery> .all firefox_addons; osquery> .all chrome_extensions;
To display a list of all implemented tables in Linux, use the .tables command as shown.
osquery> .tables; #list all implemented tables osquery> .help; #view help message
Osquery also provides file integrity monitoring (FIM), and process and socket auditing features and more, thus it is an intrusion detection tool, but this calls for certain configurations before you can deploy it for such a purpose. You can find more information from the Osquery Github repository.